[go-fan] Go Module Review: securego/gosec

[github-actions[bot]]

🐹 Go Fan Report: securego/gosec

github.com/securego/gosec/v2 is the Go security static analysis tool that scans Go AST and SSA code for security vulnerabilities. It's a cornerstone of the security posture here — run daily in CI and available locally via make security-gosec. Version v2.25.0 was released on 2026-03-19, making it the most recently updated direct dependency and today's review target.

Module Overview

gosec inspects Go source for issues across seven rule families:

• G1xx — credentials, unsafe usage, HTTP/cookie hardening
• G2xx — injection risks (SQL, template, command)
• G3xx — file/path handling (permissions, traversal, archives)
• G4xx — crypto and TLS weaknesses
• G5xx — blocklisted imports
• G6xx — Go-specific correctness (range aliasing, slice bounds)
• G7xx — taint analysis (SQLi, CMDi, path traversal, SSRF, XSS, log injection)

Current Usage in gh-aw

gosec is integrated as a CLI tool dependency via the Go tools pattern (tools.go blank import with //go:build tools), tracked at v2.25.0 in go.mod.

• Files: 1 (tools.go import), referenced in Makefile + security-scan.yml
• Invocations: make security-gosec (JSON output) and daily GitHub Actions (SARIF → GitHub Security)
• Global exclusions: G101, G115, G204, G602, G301, G302, G304, G306
• Inline suppressions: 5 //nolint:gosec // G101 annotations across workflow compiler files

Research Findings

Recent Updates (v2.22.11 → v2.25.0)

The CI workflow currently installs v2.22.11 and the Makefile installs v2.23.0 — both behind the v2.25.0 tracked in go.mod. Notable changes in the gap:

• G124 — new rule: insecure HTTP cookie configuration
• G708 — new rule: server-side template injection via text/template
• G709 — new rule: unsafe deserialization of untrusted data
• Multiple G118 false positive fixes (context cancel func tracking)
• G120 ported to taint analysis for better accuracy
• --exclude-rules path-based exclusion CLI flag added
• CWE-117 (log injection) and CWE-918 (SSRF) mappings for SARIF
• AI-assisted auto-fix feature (Gemini, Claude, OpenAI)

Best Practices

• //gosec:disable G101 -- justification is the preferred suppression format; justification text is captured in SARIF output when using -track-suppressions
• Config file (gosec.json) can centralize all exclusions, reducing drift across multiple invocation points
• --exclude-rules supports path-specific rule exclusions natively, no need to maintain parallel lists in golangci-lint

Improvement Opportunities

🚨 Critical Fix

Version mismatch across all three invocation points:

Location	Version
go.mod	v2.25.0 ✅
Makefile (security-gosec)	v2.23.0 ❌
.github/workflows/security-scan.yml	v2.22.11 ❌

Developers running make security-gosec and CI are scanning with different rules than what's tracked. The new G124/G708/G709 rules and G118 false-positive fixes are absent in both environments. Fix: update both pinned versions to v2.25.0.

🏃 Quick Wins

//nolint:gosec annotations are ineffective for direct gosec runs.

The project uses //nolint:gosec // G101: False positive... in 5 places (checkout_manager.go ×3, compiler_safe_outputs_steps.go, safe_outputs_config_helpers.go). Since gosec is disabled in golangci-lint and run directly, //nolint:gosec has no effect on the direct binary — it's a golangci-lint directive. G101 is currently covered by the global -exclude=G101 flag, but if that exclusion is ever tightened, these inline suppressions silently won't work.

Switch to gosec's native format so suppressions are tracked in SARIF:

// Before (golangci-lint only, ineffective for direct gosec):
//nolint:gosec // G101: False positive - GitHub Actions template

// After (works for both golangci-lint and direct gosec, tracked in SARIF):
//gosec:disable G101 -- False positive: GitHub Actions expression template placeholder, not a hardcoded credential

✨ Feature Opportunities

Centralize exclusions with a gosec config file.

The exclusion list is duplicated in three places with a fragile "keep in sync" comment:

• .golangci.yml linters-settings.gosec.exclude
• Makefile -exclude=G101,G115,G204,G602,G301,G302,G304,G306
• .github/workflows/security-scan.yml same -exclude= list

Use a gosec.json config file and pass -conf gosec.json in both invocations. The exclude-rules block in that config can also replace the 20+ individual path-specific exclusion entries currently in .golangci.yml.

Use path-based exclusions for test file patterns.

The new --exclude-rules feature (or config equivalent) can replace repetitive patterns like:

{
  "exclude-rules": [
    { "path": ".*_test\\.go", "rules": ["G104", "G306"] },
    { "path": "pkg/cli/actionlint\\.go", "rules": ["G204"] },
    { "path": "pkg/cli/logs_download\\.go", "rules": ["G305", "G110"] }
  ]
}

📐 Best Practice Alignment

Review new G7xx taint analysis coverage.

v2.25.0 brings G124, G708, G709 which aren't in the current global exclusion list. The daily CI scan will now produce findings for these rules. Worth auditing the SARIF results to determine whether any are real issues (HTTP cookies, template injection, unsafe deserialization) or if they need path-specific suppression.

Consider -tests flag.

Currently gosec doesn't scan test files (-tests is not passed). The .golangci.yml has many test-file gosec exclusions, but these only apply to the golangci-lint path (where gosec is disabled). Enabling -tests in direct gosec runs with appropriate path exclusions would give full coverage.

Recommendations

1. [High] Update Makefile and security-scan.yml to install gosec@v2.25.0 to match go.mod
2. [Medium] Replace //nolint:gosec with //gosec:disable G101 -- justification for the 5 inline suppressions
3. [Medium] Create a gosec.json config file and consolidate the three exclusion lists into one
4. [Low] Audit new G124/G708/G709 findings from CI SARIF to classify as real issues or suppressions
5. [Low] Evaluate adding -tests flag with path-based test exclusions for full coverage

Next Steps

• Check the latest daily security scan SARIF results in GitHub Security for any new G124/G708/G709 findings
• Open a small PR to fix the version mismatch (Makefile + workflow)
• Consider consolidating gosec config as a follow-up refactor

---

Module summary saved to: scratchpad/mods/gosec.md

References:

• §23837214855

AI generated by Go Fan · history

• expires on Apr 2, 2026, 7:36 AM UTC

[github-actions[bot]]

This discussion has been marked as outdated by Go Fan.

A newer discussion is available at Discussion #24035.